Tutorial - Use an ephemeral CA and revoke ephemeral certificates
In this tutorial, you will learn how to create and configure an ephemeral Certificate Authority (CA) to issue ephemeral certificates, use OCSP to validate the certificate, revoke the certificate using the REST API, and validate that the certificate is revoked.
About issuing and revoking ephemeral certificates
In use cases where short-lived ephemeral user or device certificates are issued for authentication, there can still be reasons to revoke one of them before it expires, for example to block network access. Ephemeral certificates are not stored in the EJBCA database. However, since every certificate issued by EJBCA is recorded in the audit log, the serial number needed for revocation can be extracted from there. EJBCA provides a policy setting on the CA that permits revocation of certificates that are not in the CA database. An example use case is issuing ephemeral certificates with 7- to 21-day validity.
Prerequisites
For this tutorial, EJBCA Community Docker container version 8.3.1 was used.
Before you begin, you will need:
A running EJBCA instance.
If you don’t already have EJBCA installed, here are some options for you:
Download EJBCA - Free and open-source EJBCA Community version
There are tutorials to help you, for example, see this one on how to run the EJBCA Docker container: Quick Start Guide - Start EJBCA Container with Client Certificate Authenticated Access.
Try on AWS - Free 30-day trial EJBCA Cloud on AWS
Try on Azure - Free 30-day trial EJBCA Cloud on Azure
To have a Root CA, certificate profiles, end entity profiles, roles, and short-lived ephemeral certificates configured in EJBCA, see this playlist: https://www.youtube.com/playlist?list=PLt17f5skfOPEcg-Hbn4d-YY22wdmnaEa9.
Familiarity with the command line and OpenSSL tools
SSH access to the Linux host where the EJBCA container is running
Step 1 - Start the Docker containers
When an issued certificate does not reside in the database, EJBCA answers unknown for that certificate when it is validated with OCSP. The ocsp.nonexistingisgood setting in the ocsp.properties file makes EJBCA respond good instead; in the EJBCA container it is set with the OCSP_NON_EXISTING_IS_GOOD environment variable, and since the container is ephemeral the setting is persisted by asserting it in the Docker Compose YAML file. Be aware of what this setting means: it applies to the OCSP responder as a whole, so for every CA served by this instance the responder answers good for any serial number it has no record of, including serial numbers that were never issued. The only negative signal left for this CA's certificates is the revoked status of serials you have explicitly revoked, so relying parties must still verify the certificate chain and signature, and the audit log remains the authoritative record of what was issued. The plain ocsp.properties file also allows restricting the good-for-unknown behaviour to particular request URIs (ocsp.nonexistingisgood.uri.N), which is preferable when the same responder serves CAs that do store their certificates.
To configure this OCSP setting, follow these steps:
Use SSH to access the server.
Change directory to the location of the Docker Compose file:
$ cd ~/containers
Use a text editor to edit the docker-compose.yml file:
$ vim docker-compose.yml
Add a new environment variable OCSP_NON_EXISTING_IS_GOOD and verify that the container tag is 8.3.1. The docker-compose.yml file should look similar to the following:
version: '3'
networks:
  access-bridge:
    driver: bridge
  application-bridge:
    driver: bridge
services:
  ejbca-database:
    container_name: ejbca-database
    image: "library/mariadb:latest"
    networks:
      - application-bridge
    volumes:
      - ./datadbdir:/var/lib/mysql:rw
  ejbca-node1:
    hostname: ejbca-node1
    container_name: ejbca
    image: keyfactor/ejbca-ce:8.3.1
    depends_on:
      - ejbca-database
    networks:
      - access-bridge
      - application-bridge
    environment:
      - DATABASE_JDBC_URL=jdbc:mariadb://ejbca-database:3306/ejbca?characterEncoding=UTF-8
      - LOG_LEVEL_APP=INFO
      - LOG_LEVEL_SERVER=INFO
      - TLS_SETUP_ENABLED=simple
      - OCSP_NON_EXISTING_IS_GOOD=true
    ports:
      - "80:8080"
      - "443:8443"
Save and close the file.
Start the EJBCA and MariaDB container with the following command:
$ docker compose up -d
Tail the container logs to validate that the OCSP_NON_EXISTING_IS_GOOD setting was detected:
$ docker logs ejbca
The output is similar to the following:
2024-05-23 00:52:55,336+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Configure logging for Application Server
2024-05-23 00:52:55,343+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Configure logging for ejbca
2024-05-23 00:52:55,350+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) uid=10001 gid=0(root) groups=0(root)
2024-05-23 00:52:55,420+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Detected 2 available core(s).
2024-05-23 00:52:55,429+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Detected 4078923776 bytes available host memory.
2024-05-23 00:52:55,435+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Observable at 127.0.0.1:8090 under paths: /health /health/ready /health/live
2024-05-23 00:52:55,451+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) LOG_LEVEL_APP_OCSP_TRANSACTIONS setting is depricated and does nothing
2024-05-23 00:52:55,454+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) LOG_LEVEL_APP_OCSP_AUDIT setting is depricated and does nothing
2024-05-23 00:52:55,458+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) MySQL/MariaDB database.
2024-05-23 00:52:55,471+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Looking for plugins to import and initialize under /opt/keyfactor/ejbca/plugins/.
2024-05-23 00:52:55,474+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Responding with 'good' when receiving OCSP requests for non-existing certificates.
2024-05-23 00:52:55,485+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) External hostname env. HTTPSERVER_HOSTNAME is set to 'ejbca-node1'.
2024-05-23 00:52:55,489+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Cluster Node ID is set to '6fsqlfocqelqhulixc'.
You now have configured EJBCA to respond good for unknown certificates and can continue with creating an ephemeral CA.
Step 2 - Create a crypto token for the ephemeral CA
A CA requires keys to sign issued certificates, CRLs, and OCSP responses (when no delegated OCSP signer is used). Crypto tokens manage these keys, either on an HSM or as soft keys stored in the EJBCA database. A soft token is sufficient for this tutorial; for a production CA, an HSM-backed token keeps the signing key from ever leaving the hardware.
To create a crypto token, follow these steps:
Go to the EJBCA CA UI and click Crypto Tokens under CA functions.
Click Create new and specify the following on the New Crypto Token page:
Name: Specify a name for the crypto token, in this example, ephemeralSubCA.
Type: Select Soft.
Auto-activation: Select Use to allow EJBCA to store the activation code and reapply it automatically after a restart.
Authentication Code: Enter the password used to activate the crypto token, in this example foo123.
Click Save to create the crypto token.
Next, generate three keys:
In the Name field that says signKey, enter signKey001 for the CA signing key, select ECDSA P-256 as the key specification, and click Generate new key pair.
Repeat to create the default (encryption) key: name the key defaultKey001, select ECDSA P-256, and click Generate new key pair.
Last, repeat to create the test key that EJBCA uses to verify that the token is operational: name the key testKey, select ECDSA P-256, and click Generate new key pair.
Click Back to Crypto Token overview.
You now have created a crypto token with keys and can continue with creating certificate profiles.
Step 3 - Create and configure certificate profiles
Before creating a CA or issuing certificates, create a certificate profile that asserts the policy settings (signature algorithm, validity, key usage, and extensions) for the certificates it governs.
To create a certificate profile for the CA and end entity, follow these steps:
In EJBCA, click Certificate Profiles under CA Functions.
Click Clone next to the MyPKISubCAProfile certificate profile.
Name the new certificate profile ephemeralSubCA-2y, and click Create from template.
To edit the profile values to fit your needs, find the newly created ephemeralSubCA-2y displayed in the list and click Edit.
On the Edit page, update the following:
For Signature Algorithm, select SHA256withECDSA.
For Validity, specify 2y.
Click Save to store the Sub CA certificate profile.
Click Clone next to the ShortLivedProfile certificate profile.
Name the new certificate profile ephemeralMtls-14d, and click Create from template.
To edit the profile values to fit your needs, find the newly created ephemeralMtls-14d displayed in the list and click Edit.
On the Edit page, update the following:
For Signature Algorithm, select SHA256withECDSA.
For Validity, specify 14d.
Select Subject Alternative Name Critical.
Select Use CA defined OCSP locator.
For Available CAs, select Any CA.
Click Save to store the certificate profile.
You now have created a new certificate profile for the ephemeral CA and the ephemeral end entity device. Continue to the next step to create the ephemeral CA.
Step 4 - Create the ephemeral CA
The crypto token and certificate profile can now be used to create the ephemeral CA. The policy settings in the Directives section are cleared so that neither certificates nor end entity data are stored in the CA database, and the CA is set to accept revocations for entries it does not have.
To create the ephemeral CA, follow these steps:
In EJBCA, click Certificate Authorities under CA Functions.
In the Add CA field, enter the name “ephemeralSubCA-G1” and click Create.
On the Create CA page, update the following:
Select the crypto token ephemeralSubCA (created earlier) in the Crypto Token list.
Clear Use User Storage.
Clear Use Certificate Storage.
Select Accept Revocations for Non-Existing Entries.
For Default Certificate Profile for Non-Existing Entries, select the ephemeralMtls-14d.
For Subject DN, enter CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE.
For Signed By, select MyPKIRootCA-G1.
For Certificate Profile, select ephemeralSubCA-2y.
For Validity, specify 2y.
Clear LDAP DN order.
For OCSP service Default URI, enter http://ejbca-node1.ejbca-k8s/ejbca/publicweb/status/ocsp.
Click Create to create the CA.
You now have created an ephemeral CA that does not store user or certificate data in the CA database and can continue with creating an end entity profile.
Step 5 - Create an end entity profile for the ephemeral device
Before a certificate can be issued, you must create an end entity profile to map the certificate profile, CA, and user token for the issued certificate.
To create the end entity profile, follow these steps:
In EJBCA, click End Entity Profiles under RA Functions.
Select the ShortLivedProfile end entity profile, enter ephemeralMtls for the Add End Entity Profile, and click Clone selected.
Select the created ephemeralMtls end entity profile, and click Edit End Entity Profile to update the following:
In the Subject Alternative Name section, select Uniform Resource Identifier (URI) and click Remove.
Select DNS Name in the Subject Alternative Name section, and click Add.
For DNS Name, select Required.
For Default Certificate Profile and Available Certificate Profiles, select ephemeralMtls-14d.
For Default CA and Available CAs, select ephemeralSubCA-G1.
Click Save to store the end entity profile.
You now have created an end entity profile to issue an ephemeral certificate from the ephemeral CA and can continue with issuing a certificate using the REST API.
Step 6 - Issue an ephemeral certificate using the REST API
Ephemeral certificates cannot be issued from the EJBCA RA web; they are issued through an enrollment protocol or an API. To submit the PKCS#10 request to the REST API, this tutorial uses the pkcs10Enroll.sh script.
To issue an ephemeral certificate using the pkcs10Enroll.sh script, follow these steps:
Return to the terminal session window that was used to SSH to the server.
Change directories to the location of the pkcs10Enroll.sh script:
$ cd ~/rest-curl
This script is already on the Linux server from the previous tutorial EJBCA REST API CLI. The location of the script is re-used for this tutorial.
Create an OpenSSL configuration file that is used to create the CSR:
$ cat > ephemeral-01.conf <<EOF
[req]
prompt = no
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = ephemeral-01.test
EOF
Generate an ECDSA P-256 private key:
$ openssl ecparam -name secp256r1 -genkey -noout -out ephemeral-01.key
Generate a CSR with no subject DN using the previously created private key and OpenSSL configuration file:
$ openssl req -new -sha256 -key ephemeral-01.key -out ephemeral-01.csr -config ephemeral-01.conf -subj "/"
Use the pkcs10Enroll.sh script to enroll for the certificate:
$ ./pkcs10Enroll.sh -P ../keyfactorCommunitySuperAdmin.p12 -s foo123 -t ../ManagementCA.pem \
    -H ejbca-node1.ejbca-k8s -p ephemeralMtls-14d \
    -e ephemeralMtls -n ephemeralSubCA-G1 \
    -c ephemeral-01.csr -u ephemeral-01
The credential and Management CA certificate are already on the Linux server from the previous tutorial EJBCA REST API CLI. The location of these files are re-used for this tutorial.
Parse the ephemeral certificate with OpenSSL:
$ openssl x509 -text -noout -in ephemeral-01.crt
The output is similar to the following:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            66:71:70:5c:d7:08:41:a4:ed:8f:44:da:d5:a2:57:ac:ac:8a:e4:38
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = SE, O = Keyfactor Community, CN = Ephemeral Sub CA - G1
        Validity
            Not Before: May 26 12:00:13 2024 GMT
            Not After : Jun  9 12:00:12 2024 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:fe:1b:6e:56:8e:d5:3a:5c:a4:d4:67:8c:71:94:
                    3b:49:df:e9:35:7b:e7:e3:dd:c5:9d:7d:55:cc:99:
                    0c:a3:5d:52:ce:10:2a:6f:c6:20:85:41:d4:08:f0:
                    57:25:99:46:29:b4:8e:5c:9c:b7:60:dd:ca:79:9d:
                    41:00:82:b0:86
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:50:22:95:B3:D0:47:2D:DD:43:59:FC:1E:A7:F5:DE:39:17:6F:B0:82
            Authority Information Access:
                OCSP - URI:http://ejbca-node1.ejbca-k8s/ejbca/publicweb/status/ocsp
            X509v3 Subject Alternative Name: critical
                DNS:ephemeral-01.test
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                76:77:20:A0:E9:60:2C:21:58:AE:E1:8F:55:04:3C:75:2A:B5:00:68
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:01:57:7d:7d:61:cc:50:ff:02:1a:25:c0:09:09:
         2f:2c:09:e1:5e:27:c5:a2:52:7e:82:75:f9:2c:93:bf:f9:71:
         02:20:5b:26:3f:7d:f8:df:20:bd:95:96:9b:12:20:d0:1b:31:
         59:14:8f:e7:c8:c7:1c:04:05:e2:8b:57:63:9c:c0:c2
Note that the issued certificate carries the Extended Key Usage TLS Web Client Authentication and a critical Key Usage of Digital Signature, although the CSR asked for serverAuth: the certificate profile, not the CSR, determines the extensions unless the profile explicitly allows extension override. The empty Subject is expected, since the CSR was generated with -subj "/" and the identity is carried in the critical Subject Alternative Name.
You now have issued an ephemeral certificate that has a validity of 14 days and can continue with performing an OCSP check on the ephemeral certificate.
Step 7 - Validate the issued certificate using OCSP
Next, verify that the ephemeral certificate is valid by querying EJBCA with OpenSSL over OCSP. The check needs the issuing CA chain: openssl ocsp uses the issuer certificate to compute the CertID (SHA-1 hashes of the issuer name and issuer key, plus the certificate's serial number) that is sent in the request, and the chain to verify the signature on EJBCA's response. The CA chain can be downloaded using the REST API.
To perform the OCSP check, follow these steps:
Use cURL to download the CA chain:
$ curl --cacert ../ManagementCA.pem --cert-type P12 --cert ../keyfactorCommunitySuperAdmin.p12:foo123 \
    -X 'GET' \
    'https://ejbca-node1/ejbca/ejbca-rest-api/v1/ca/CN%3DEphemeral%20Sub%20CA%20-%20G1%2CO%3DKeyfactor%20Community%2CC%3DSE/certificate/download' \
    -H 'accept: */*'
The output is similar to the following:
Subject: CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE
Issuer: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
-----BEGIN CERTIFICATE-----
MIICnDCCAkKgAwIBAgIURpCk4Zoxi+vglT6CYG3UpRujzswwCgYIKoZIzj0EAwIw
STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjQwNTIwMTczODU4WhcNMjYw
NTIwMTczODU3WjBLMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
bW11bml0eTEeMBwGA1UEAwwVRXBoZW1lcmFsIFN1YiBDQSAtIEcxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEyCOXk/7FDz83MUe6Mj2nAR4Rjh0g680XPiyUVV6P
ZO1/YXCONFF6fMwxTod563m+AuKi5igW2pPb2AKgU7/Dx6OCAQQwggEAMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5Uw
YgYIKwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRz
L015UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9v
Y3NwMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJv
b3RDQS1HMS5jcmwwHQYDVR0OBBYEFFAilbPQRy3dQ1n8Hqf13jkXb7CCMA4GA1Ud
DwEB/wQEAwIBhjAKBggqhkjOPQQDAgNIADBFAiEAzaOoLbhEs2fJBzKZCB1v2uf6
JBp9ZLf1e6uiRn21VyUCIFMKQ+5ZV6XofR1aOxFOdnI1zyXNwnkfcmPt/MUnTsvI
-----END CERTIFICATE-----
Subject: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
Issuer: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
-----BEGIN CERTIFICATE-----
MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
STELM AkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
-----END CERTIFICATE-----
Select and copy the ephemeral sub CA PEM blob.
Create the sub-ephemeral.crt file:
$ vim sub-ephemeral.crt
Paste the ephemeral sub CA PEM blob:
Subject: CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE
Issuer: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
-----BEGIN CERTIFICATE-----
MIICnDCCAkKgAwIBAgIURpCk4Zoxi+vglT6CYG3UpRujzswwCgYIKoZIzj0EAwIw
STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjQwNTIwMTczODU4WhcNMjYw
NTIwMTczODU3WjBLMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
bW11bml0eTEeMBwGA1UEAwwVRXBoZW1lcmFsIFN1YiBDQSAtIEcxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEyCOXk/7FDz83MUe6Mj2nAR4Rjh0g680XPiyUVV6P
ZO1/YXCONFF6fMwxTod563m+AuKi5igW2pPb2AKgU7/Dx6OCAQQwggEAMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5Uw
YgYIKwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRz
L015UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9v
Y3NwMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJv
b3RDQS1HMS5jcmwwHQYDVR0OBBYEFFAilbPQRy3dQ1n8Hqf13jkXb7CCMA4GA1Ud
DwEB/wQEAwIBhjAKBggqhkjOPQQDAgNIADBFAiEAzaOoLbhEs2fJBzKZCB1v2uf6
JBp9ZLf1e6uiRn21VyUCIFMKQ+5ZV6XofR1aOxFOdnI1zyXNwnkfcmPt/MUnTsvI
-----END CERTIFICATE-----
Save and close the file.
Select and copy the root CA PEM blob.
Create the root.crt file:
$ vim root.crt
Paste the root CA PEM blob:
Subject: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
Issuer: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
-----BEGIN CERTIFICATE-----
MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
-----END CERTIFICATE-----
Save and close the file.
Create the certchain.pem file, which contains the sub CA and root CA PEM blobs:
$ cat sub-ephemeral.crt > certchain.pem
$ cat root.crt >> certchain.pem
Validate the certificate with an OCSP check:
$ openssl ocsp -issuer certchain.pem -cert ephemeral-01.crt -text -url http://ejbca-node1.ejbca-k8s/ejbca/publicweb/status/ocsp
The output is similar to the following:
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 6C7E29272E7D8ED8DC404BD63C4543B8EE0094C3
          Issuer Key Hash: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
          Serial Number: 6671705CD70841A4ED8F44DAD5A257ACAC8AE438
    Request Extensions:
        OCSP Nonce:
            04103CF6BCE12B7D6EBBFB2887999E4A4D6F
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
    Produced At: May 26 12:19:34 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 6C7E29272E7D8ED8DC404BD63C4543B8EE0094C3
      Issuer Key Hash: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
      Serial Number: 6671705CD70841A4ED8F44DAD5A257ACAC8AE438
    Cert Status: good
    This Update: May 26 12:19:34 2024 GMT

    Response Extensions:
        OCSP Nonce:
            04103CF6BCE12B7D6EBBFB2887999E4A4D6F
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:6a:b9:1f:3e:7f:5b:8a:80:dd:b5:7f:63:3c:ec:
         5d:57:71:7e:ba:0a:35:bd:64:c3:fa:a3:5a:18:27:7e:d3:41:
         02:20:6f:9d:20:c4:0a:61:6e:05:f2:c0:f7:59:06:d8:e7:9c:
         12:d1:51:68:58:8a:99:55:7f:59:a5:30:42:69:48:38
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            46:90:a4:e1:9a:31:8b:eb:e0:95:3e:82:60:6d:d4:a5:1b:a3:ce:cc
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=SE, O=Keyfactor Community, CN=My PKI Root CA - G1
        Validity
            Not Before: May 20 17:38:58 2024 GMT
            Not After : May 20 17:38:57 2026 GMT
        Subject: C=SE, O=Keyfactor Community, CN=Ephemeral Sub CA - G1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:c8:23:97:93:fe:c5:0f:3f:37:31:47:ba:32:3d:
                    a7:01:1e:11:8e:1d:20:eb:cd:17:3e:2c:94:55:5e:
                    8f:64:ed:7f:61:70:8e:34:51:7a:7c:cc:31:4e:87:
                    79:eb:79:be:02:e2:a2:e6:28:16:da:93:db:d8:02:
                    a0:53:bf:c3:c7
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Authority Key Identifier:
                keyid:D5:CE:9D:68:90:BD:88:84:BC:3F:BE:5E:43:AA:E8:D3:24:78:07:95
            Authority Information Access:
                CA Issuers - URI:http://my.pki/certs/MyPKIRootCA-G1.crt
                OCSP - URI:http://my.pki/ocsp
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://my.pki/crls/MyPKIRootCA-G1.crl
            X509v3 Subject Key Identifier:
                50:22:95:B3:D0:47:2D:DD:43:59:FC:1E:A7:F5:DE:39:17:6F:B0:82
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:cd:a3:a8:2d:b8:44:b3:67:c9:07:32:99:08:
         1d:6f:da:e7:fa:24:1a:7d:64:b7:f5:7b:ab:a2:46:7d:b5:57:
         25:02:20:53:0a:43:ee:59:57:a5:e8:7d:1d:5a:3b:11:4e:76:
         72:35:cf:25:cd:c2:79:1f:72:63:ed:fc:c5:27:4e:cb:c8
-----BEGIN CERTIFICATE-----
[responder certificate PEM omitted in this export; it is the Ephemeral Sub CA - G1 certificate saved above as sub-ephemeral.crt]
-----END CERTIFICATE-----
Response verify OK
ephemeral-01.crt: good
        This Update: May 26 12:19:34 2024 GMT
Note that the Responder Id equals the Issuer Key Hash and the Subject Key Identifier of the sub CA: the ephemeral CA signs its own OCSP responses with its CA signing key, as no delegated OCSP signer is configured.
You now have validated that the ephemeral certificate is good using OCSP and can continue with revoking the ephemeral certificate.
Step 8 - Revoke the ephemeral certificate using the REST API
Revoking an ephemeral certificate is done using the EJBCA CLI, REST API, or web services. Ephemeral certificates cannot be revoked using the RA Web because the certificate does not exist in the database.
To revoke an ephemeral certificate with REST API, follow these steps:
Parse the ephemeral certificate with OpenSSL to get the serial number and store it in a variable. OpenSSL prints the serial as uppercase hexadecimal, which is the form the REST API expects in the path:
$ export CERT_SERIAL_NUMBER=$(openssl x509 -noout -serial -in ephemeral-01.crt | cut -d'=' -f2)
Revoke the certificate using the REST API. The path consists of the issuer DN, URL-encoded and written the way EJBCA displays it (CN first), followed by the serial number; the revocation reason is passed as a query parameter:
$ curl --silent --cacert ../ManagementCA.pem --cert-type P12 --cert ../keyfactorCommunitySuperAdmin.p12:foo123 \
    -X 'PUT' \
    "https://ejbca-node1/ejbca/ejbca-rest-api/v1/certificate/CN%3DEphemeral%20Sub%20CA%20-%20G1%2CO%3DKeyfactor%20Community%2CC%3DSE/${CERT_SERIAL_NUMBER}/revoke?reason=CESSATION_OF_OPERATION" \
    -H 'accept: application/json' | jq .
The output is similar to the following:
{
  "issuer_dn": "CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE",
  "serial_number": "6671705CD70841A4ED8F44DAD5A257ACAC8AE438",
  "revocation_reason": "CESSATION_OF_OPERATION",
  "revocation_date": "2024-05-26T12:20:16Z",
  "message": "Successfully revoked",
  "revoked": true
}
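The three values that tie Step 7 and Step 8 together are the serial number, the issuer DN, and the two SHA-1 hashes that make up the OCSP CertID (Issuer Name Hash and Issuer Key Hash in the openssl ocsp output). The following Python helper is an added example and is not part of the EJBCA documentation or code base. It embeds the Ephemeral Sub CA - G1 certificate from Step 7, parses it with a minimal DER walker from the standard library only, computes the CertID hashes, builds a nonce-free OCSP request for a given serial number, and builds the REST revocation URL from Step 8. All function names are the example's own; the CN-first rendering of the DN follows what EJBCA prints on this page and is assumed to hold for this CA only.

```python
# Added example, not from the EJBCA documentation or code base: a standard-library
# helper for the OCSP and revocation steps, built on a minimal DER walker.
import base64
import hashlib
import re
from urllib.parse import quote

# The Ephemeral Sub CA - G1 certificate from Step 7 (sub-ephemeral.crt).
SUB_CA_PEM = """-----BEGIN CERTIFICATE-----
MIICnDCCAkKgAwIBAgIURpCk4Zoxi+vglT6CYG3UpRujzswwCgYIKoZIzj0EAwIw
STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjQwNTIwMTczODU4WhcNMjYw
NTIwMTczODU3WjBLMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
bW11bml0eTEeMBwGA1UEAwwVRXBoZW1lcmFsIFN1YiBDQSAtIEcxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEyCOXk/7FDz83MUe6Mj2nAR4Rjh0g680XPiyUVV6P
ZO1/YXCONFF6fMwxTod563m+AuKi5igW2pPb2AKgU7/Dx6OCAQQwggEAMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5Uw
YgYIKwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRz
L015UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9v
Y3NwMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJv
b3RDQS1HMS5jcmwwHQYDVR0OBBYEFFAilbPQRy3dQ1n8Hqf13jkXb7CCMA4GA1Ud
DwEB/wQEAwIBhjAKBggqhkjOPQQDAgNIADBFAiEAzaOoLbhEs2fJBzKZCB1v2uf6
JBp9ZLf1e6uiRn21VyUCIFMKQ+5ZV6XofR1aOxFOdnI1zyXNwnkfcmPt/MUnTsvI
-----END CERTIFICATE-----"""

def _tlv(buf):
    """Read one DER TLV: returns (tag, value, whole_tlv, remainder)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    end = pos + length
    return tag, buf[pos:end], buf[:end], buf[end:]

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8         # long-form length, minimal octets
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))

_ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}

def _name_to_string(name):
    """Render a Name CN-first, as EJBCA prints it here (reverse of this CA's DER order)."""
    rdns, rest = [], name
    while rest:
        _, rdn, _, rest = _tlv(rest)             # RelativeDistinguishedName (SET)
        _, ava, _, _ = _tlv(rdn)                 # AttributeTypeAndValue (SEQUENCE)
        _, oid, _, after = _tlv(ava)             # AttributeType (OID)
        _, val, _, _ = _tlv(after)               # AttributeValue (string)
        rdns.append(f"{_ATTR.get(oid, oid.hex())}={val.decode('utf-8')}")
    return ",".join(reversed(rdns))

def parse_certificate(pem):
    """Return the certificate fields needed for OCSP CertIDs and for revocation."""
    _, cert, _, _ = _tlv(pem_to_der(pem))       # Certificate
    _, tbs, _, _ = _tlv(cert)                    # tbsCertificate
    tag, _, _, rest = _tlv(tbs)                  # [0] EXPLICIT version (absent in v1)
    if tag != 0xA0:
        rest = tbs
    _, serial, _, rest = _tlv(rest)              # serialNumber INTEGER
    _, _, _, rest = _tlv(rest)                   # signature AlgorithmIdentifier
    _, issuer, _, rest = _tlv(rest)              # issuer Name
    _, _, _, rest = _tlv(rest)                   # validity
    _, _, subject_tlv, rest = _tlv(rest)         # subject Name (whole TLV; OCSP hashes this)
    _, spki, _, _ = _tlv(rest)                   # subjectPublicKeyInfo
    _, _, _, after_alg = _tlv(spki)              # AlgorithmIdentifier
    _, bits, _, _ = _tlv(after_alg)              # subjectPublicKey BIT STRING
    return {"serial_hex": format(int.from_bytes(serial, "big", signed=True), "X"),
            "issuer_dn": _name_to_string(issuer), "subject_der": subject_tlv,
            "public_key_bits": bits[1:]}         # bits[0] is the unused-bits octet

def issuer_hashes(issuer_pem):
    """issuerNameHash and issuerKeyHash of an OCSP CertID (RFC 6960 4.1.1, SHA-1)."""
    issuer = parse_certificate(issuer_pem)
    return (hashlib.sha1(issuer["subject_der"]).hexdigest().upper(),
            hashlib.sha1(issuer["public_key_bits"]).hexdigest().upper())

def ocsp_request(issuer_pem, serial_hex):
    """DER OCSPRequest for one certificate, without nonce or requestor name."""
    name_hash, key_hash = issuer_hashes(issuer_pem)
    n = int(serial_hex, 16)
    serial = n.to_bytes((n.bit_length() + 8) // 8, "big")   # minimal positive INTEGER
    sha1 = _der(0x30, _der(0x06, bytes.fromhex("2b0e03021a")) + _der(0x05, b""))
    cert_id = _der(0x30, sha1 + _der(0x04, bytes.fromhex(name_hash))
                   + _der(0x04, bytes.fromhex(key_hash)) + _der(0x02, serial))
    request_list = _der(0x30, _der(0x30, cert_id))           # SEQUENCE OF Request
    return _der(0x30, _der(0x30, request_list))              # OCSPRequest { TBSRequest }

def revoke_url(base_url, issuer_dn, serial_hex, reason="CESSATION_OF_OPERATION"):
    """EJBCA REST v1 revocation path: URL-encoded issuer DN, then the hex serial."""
    return (f"{base_url}/ejbca/ejbca-rest-api/v1/certificate/"
            f"{quote(issuer_dn, safe='')}/{serial_hex}/revoke?reason={reason}")
```

For the certificate on this page, issuer_hashes(SUB_CA_PEM) yields the Issuer Name Hash and Issuer Key Hash shown in the Step 7 output, and revoke_url("https://ejbca-node1", parse_certificate(SUB_CA_PEM)["issuer_dn"] rewritten for the ephemeral CA, serial) reproduces the path used by the curl command above. The request bytes can be sent with curl --data-binary @req.der -H 'Content-Type: application/ocsp-request' to the AIA URL and the reply inspected with openssl ocsp -respin reply.der -text. The serial is re-derived from its integer value rather than copied from the hex string so that the DER INTEGER is minimal and positive, which matters for serials whose first byte has the high bit set.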
You now have revoked the ephemeral certificate and can continue with checking the validity with OCSP.
Step 9 - Validate the revoked certificate using OCSP
After revoking the certificate, EJBCA stores an entry with the serial number, the issuer DN, and the revocation status and reason in the CertificateData table of the CA database; the certificate itself is still not stored. From now on the OCSP responder finds that entry and answers revoked for this serial number instead of falling back to the good-for-unknown behaviour configured in Step 1.
To check the validity of the revoked ephemeral certificate using OCSP, follow these steps:
Validate the certificate with an OCSP check:
$ openssl ocsp -issuer certchain.pem -cert ephemeral-01.crt -text -url http://ejbca-node1.ejbca-k8s/ejbca/publicweb/status/ocsp
The output is similar to the following:
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 6C7E29272E7D8ED8DC404BD63C4543B8EE0094C3
          Issuer Key Hash: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
          Serial Number: 6671705CD70841A4ED8F44DAD5A257ACAC8AE438
    Request Extensions:
        OCSP Nonce:
            041094666B693277D6CD191D42EC1A7B780B
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
    Produced At: May 26 12:23:49 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 6C7E29272E7D8ED8DC404BD63C4543B8EE0094C3
      Issuer Key Hash: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
      Serial Number: 6671705CD70841A4ED8F44DAD5A257ACAC8AE438
    Cert Status: revoked
    Revocation Time: May 26 12:20:16 2024 GMT
    Revocation Reason: cessationOfOperation (0x5)
    This Update: May 26 12:23:49 2024 GMT

    Response Extensions:
        OCSP Nonce:
            041094666B693277D6CD191D42EC1A7B780B
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:53:9d:7a:15:ca:5c:da:47:7d:f6:49:5d:1b:07:
         58:60:c7:a6:63:75:e2:2d:9f:45:5c:f7:55:7e:b0:0c:b4:4c:
         02:20:0e:e2:0f:11:31:bb:61:1c:ad:e4:a6:f3:33:90:3a:0e:
         ee:48:55:0c:dc:0f:3c:da:37:10:2b:84:7c:dc:d2:b4
Certificate:
    [the responder certificate, identical to the Ephemeral Sub CA - G1 certificate shown in the Step 7 output]
Response verify OK
ephemeral-01.crt: revoked
        This Update: May 26 12:23:49 2024 GMT
        Reason: cessationOfOperation
        Revocation Time: May 26 12:20:16 2024 GMT
You have now validated that EJBCA returns a revoked OCSP status for the revoked ephemeral certificate, which completes the tutorial.
Next steps and more resources
In this tutorial, you learned how to create an ephemeral CA, issue ephemeral certificates, and revoke an ephemeral certificate using the REST API.
Here are some next steps we recommend:
Learn how to issue certificates from EJBCA through Vault, by following this Tutorial - Use EJBCA with HashiCorp Vault.
If you are interested in EJBCA Enterprise, read more on Keyfactor EJBCA Enterprise.
If you are interested in EJBCA Community, check out EJBCA Community vs Enterprise or read more on ejbca.org.
If you are an EJBCA Enterprise customer and need support, visit the Keyfactor Support Portal.
Discuss with the EJBCA Community on GitHub Discussions.